Even if you enable PortFast on a port, by default that port still generates configuration BPDUs. Any connected device receives and might process configuration BPDUs unnecessarily. You can configure a feature called BPDU Filter, which prevents a PortFast-enabled port from sending configuration BPDUs. If configuration BPDUs are received on the PortFast-enabled port, the port either loses its PortFast status (or is manually shut down if BPDU guard is configured), or it ignores the BPDUs, depending on how you configure BPDU Filter.
Configuring BPDU Filter so that all configuration BPDUs received on a port are dropped can be useful for service provider environments, where a service provider provides Layer 2 Ethernet access for customers. Figure 4-27 demonstrates such a scenario.
Figure 4-27. Service Provider Scenario
In Figure 4-27, the service provider has many customers attached via Layer 2 Ethernet connections. Ideally, the service provider does not want to share any spanning-tree information with customers, because such sharing might jeopardize the stability of the service provider's internal spanning-tree topology. By configuring PortFast and BPDU Filter on each customer access port, the service provider will not send any configuration BPDUs to customers and will ignore any configuration BPDUs sent from customers.
Configuring the BPDU Filter feature to ignore any configuration BPDUs received on a port can result in a loop forming that is never detected. Use this feature with care, ensuring there is no possibility for looping.
Enabling PortFast BPDU Filter
The PortFast BPDU Filter feature is currently supported only on CatOS and is not supported on any Cisco IOS-based switches, except for the native IOS Catalyst 6000/6500 from IOS release 12.1(11b)EX onwards. By default, the feature is disabled and can be enabled or disabled either globally or explicitly for each PortFast port. If you configure the feature globally, BPDU Filter applies to all PortFast-enabled ports, and if any configuration BPDUs are received on a PortFast-enabled port, the port immediately loses its PortFast status and returns to a normal STP port configuration. If you configure the feature explicitly on a PortFast-enabled port, any configuration BPDUs received are ignored and dropped.
To enable PortFast BPDU Filter globally on a CatOS switch, you use the following command:
set spantree global-default bpdu-filter [enable | disable]
To enable PortFast BPDU Filter for a specific port on a CatOS switch, you use the following command:
set spantree portfast bpdu-filter mod/port [enable | disable | default]
The default parameter configures the port to inherit the global BPDU Filter configuration.
Referring back to the topology of Figure 4-26, assume that you wish to enable the PortFast BPDU filter on each of the PortFast ports on Switch-D, and you want Switch-D to ignore any configuration BPDUs received on port 2/3. Example 4-46 demonstrates the configuration required on Switch-D.
Example 4-46. Configuring PortFast BPDU Filter on Switch-D
Switch-D> (enable) set spantree global-default bpdu-filter enable
Spantree global-default bpdu-filter enabled on this switch.
Switch-D> (enable) set spantree portfast bpdu-filter 2/3 enable
Warning:Ports enabled with bpdu filter will not send BPDUs and drop all received BPDUs.
You may cause loops in the bridged network if you misuse this feature.
Spantree port 2/3 bpdu filter enabled.
In Example 4-46, because port 2/3 has BPDU Filter explicitly configured, it does not send any configuration BPDUs and ignores any configuration BPDUs received. All other PortFast-enabled ports inherit the global BPDU Filter configuration, which means they do not send any configuration BPDUs, but transition out of a PortFast state to a normal STP port if configuration BPDUs are received.
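The inheritance rules described above can be checked mechanically when auditing a saved CatOS configuration. The following is an added example, not part of the original text or any Cisco tooling: it resolves the effective BPDU Filter behaviour of each PortFast port and lists the ports that silently drop BPDUs and therefore cannot detect a loop. The function names, the behaviour labels, and the list of PortFast ports passed in are assumptions made for the example.

```python
import re

# Command forms as given in the text above (CatOS syntax).
GLOBAL_RE = re.compile(r"^set spantree global-default bpdu-filter (enable|disable)$")
PORT_RE = re.compile(r"^set spantree portfast bpdu-filter (\d+/\d+) (enable|disable|default)$")

# Labels for the three outcomes (names chosen for this example).
DROP = "no BPDUs sent; received BPDUs dropped (loop risk)"
REVERT = "no BPDUs sent; port reverts to normal STP if a BPDU arrives"
OFF = "BPDU Filter off"

def effective_bpdu_filter(config_lines, portfast_ports):
    """Map each PortFast port (assumed input list) to its BPDU Filter behaviour."""
    global_enabled = False              # the feature is disabled by default
    per_port = {}                       # port -> enable | disable | default
    for raw in config_lines:
        line = " ".join(raw.split())    # normalise whitespace
        m = GLOBAL_RE.match(line)
        if m:
            global_enabled = m.group(1) == "enable"
            continue
        m = PORT_RE.match(line)
        if m:
            per_port[m.group(1)] = m.group(2)
    result = {}
    for port in portfast_ports:
        setting = per_port.get(port, "default")
        if setting == "enable":         # explicit per-port filter
            result[port] = DROP
        elif setting == "disable":
            result[port] = OFF
        else:                           # inherit the global configuration
            result[port] = REVERT if global_enabled else OFF
    return result

def loop_risk_ports(config_lines, portfast_ports):
    """Ports that ignore received BPDUs, so a loop behind them goes undetected."""
    eff = effective_bpdu_filter(config_lines, portfast_ports)
    return sorted(p for p, mode in eff.items() if mode == DROP)

# Constructed sample: the two commands from Example 4-46; the port list is assumed.
SAMPLE = ["set spantree global-default bpdu-filter enable",
          "set spantree portfast bpdu-filter 2/3 enable"]
if __name__ == "__main__":
    for port, mode in effective_bpdu_filter(SAMPLE, ["2/1", "2/2", "2/3"]).items():
        print(port, "->", mode)
```

Ports returned by loop_risk_ports are the ones to review against the caution above: each should connect only to a device that cannot bridge traffic back into the network.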